SELinux configuration conflicts
SELinux is a security module that facilitates the implementation of access control security policies in Linux systems. In some distributions, like Fedora and RHEL, SELinux is enabled in Enforcing mode by default.
By default, SELinux restricts what the rsyslog process can do. For example:
- SELinux prevents rsyslog from sending to a port other than 514/UDP (standard syslog port).
- rsyslog has limited access to files and directories outside its initial configuration.
This article describes how to add the necessary exceptions to SELinux to enable sending data to Devo over TCP when using rsyslog. The procedure is identical when using syslog-ng. The exceptions will enable:
- rsyslog to communicate with the Devo relay through the different ports
- rsyslog to access the files and directories needed (for example, the user certificate)
SELinux can have one of three statuses:
- Enforcing - SELinux is enabled and will block all actions that are not permitted by the security policy.
- Permissive - SELinux is enabled. However, it will allow actions that are not permitted by the security policy, and log an event when the action is carried out.
- Disabled - SELinux is disabled.
If SELinux is running in Enforcing mode, it could be interfering with the communications between rsyslog and the Devo relay.
Run the following command to find out what status SELinux is currently in:
The easiest way to diagnose if you have a configuration problem due to SELinux is to disable it temporarily and see if that solves the problem.
If SELinux is in Enforcing mode, use the following commands to switch SELinux to Permissive mode, then restart the rsyslog service:
sudo setenforce 0
sudo service rsyslog restart
Check if the log sending is working. To re-enable SELinux, run:
sudo setenforce 1
sudo service rsyslog restart
These commands only make temporary changes to the SELinux status. If you restart the machine, the status will automatically be set to the status level defined in the /etc/selinux/config file.
This is not advisable from a security point of view, but if you want to set the status permanently, you can edit the /etc/selinux/config file:
SELINUX=disabled # Permanently disable SELinux
SELINUX=permissive # Disable Enforcing mode but keep recording the actions that would have been blocked
- SELinux records all actions in /var/log/audit/audit.log
- A change in the general configuration requires a restart of the machine.
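Because denials are recorded in /var/log/audit/audit.log, you can read off which ports and files need an exception rather than leaving SELinux in Permissive mode. The shell function below is an added example, not part of the original procedure; it assumes rsyslog runs in the syslogd_t domain and that records use the usual AVC field layout, and the sample records are constructed.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for the syslogd_t domain.
# Reads audit.log lines on stdin and prints one line per distinct denial:
#   port <proto> <dest> <current port type> <mode>
#   <tclass> <perms> <name> <current file type> <mode>
summarize_syslog_denials() {
    awk '
    /type=AVC/ && /denied/ && /scontext=[^ ]*:syslogd_t:/ {
        perm = ""; dest = ""; name = ""; ttype = ""; tclass = ""; p = ""
        # The denied permissions sit between "{ " and " }".
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dest=/)        dest = substr($i, 6)
            if ($i ~ /^(name|path)=/) { name = substr($i, 6); gsub(/"/, "", name) }
            if ($i ~ /^tclass=/)      tclass = substr($i, 8)
            if ($i ~ /^permissive=/)  p = substr($i, 12)
            if ($i ~ /^tcontext=/)    { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        # permissive=1 means the action was allowed and only logged.
        mode = (p == "0") ? "blocked" : (p == "1") ? "logged-only" : "unknown"
        if (perm ~ /name_connect/ && dest != "") {
            sub(/_socket$/, "", tclass)
            out = "port " tclass " " dest " " ttype " " mode
        } else
            out = tclass " " perm " " name " " ttype " " mode
        if (!(out in seen)) { seen[out] = 1; print out }
    }'
}

# Constructed sample records (not taken from a real system).
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { name_connect } for  pid=1201 comm="rsyslogd" dest=12345 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=42 success=no exit=-13 comm="rsyslogd"
type=AVC msg=audit(1700000030.220:507): avc:  denied  { name_connect } for  pid=1201 comm="rsyslogd" dest=12345 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000060.330:512): avc:  denied  { name_connect } for  pid=1201 comm="rsyslogd" dest=443 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000090.440:520): avc:  denied  { read } for  pid=1201 comm="rsyslogd" name="user.crt" dev="dm-0" ino=4242 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000120.550:531): avc:  denied  { name_connect } for  pid=900 comm="httpd" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

sample_audit_lines | summarize_syslog_denials
```

On a real host, pipe the log into the function instead of the sample: sudo cat /var/log/audit/audit.log | summarize_syslog_denials. A port whose current type is already a specific one (such as http_port_t for 443) is the case that needs semanage port -m rather than -a.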
Adding exceptions to SELinux
The SELinux commands that involve recompiling policies may take a while to run.
If you do not have the semanage command, install the policycoreutils package:
yum install policycoreutils
apt-get install policycoreutils
Now, check which ports syslog can send to.
sudo semanage port -l | grep syslog
syslogd_port_t udp 514
Enable a new port in the security policy. For example, if we want to be able to send cleartext data to port 12345/TCP, the command would be as follows:
sudo semanage port -a -t syslogd_port_t -p tcp 12345
To add a port that is already being used for another purpose, we have to modify the existing port definition (-m) instead of adding a new one (-a). In this example, port 443/TCP is used for secure sending but is also assigned in the web server policy.
sudo semanage port -m -t syslogd_port_t -p tcp 443
Depending on the distribution, you need to authorize the /var/spool/rsyslog directory:
sudo semanage fcontext -a -t syslogd_var_lib_t "/var/spool/rsyslog(/.*)?"
sudo restorecon -R -v /var/spool/rsyslog
It might also be necessary to authorize /etc/rsyslog.d/* so that rsyslog can read the user SSL certificate:
sudo semanage fcontext -a -t syslog_conf_t "/etc/rsyslog.d(/.*)?"
sudo restorecon -R -v /etc/rsyslog.d/
sudo semanage fcontext -a -t etc_t "/etc/rsyslog.d"
sudo restorecon -v /etc/rsyslog.d
Now restart rsyslog:
sudo service rsyslog restart